../Reply Bars LARGEP.eps

Transcript

1 They Can Hear Your Heartbeats: Non-Invasive Security for Implantable Medical Devices ⋆ † ⋆ † † Shyamnath Gollakota Kevin Fu Haitham Hassanieh Dina Katabi Benjamin Ransford ⋆ † University of Massachusetts, Amherst Massachusetts Institute of Technology {ransford, kevinfu}@cs.u mass.edu {gshyam, haithamh, dk}@mit.edu monitoring of patients’ vital signs and improved care provi ders’ ABSTRACT ability to deliver timely treatment, leading to a better hea lth care Wireless communication has become an intrinsic part of mode rn system [31]. implantable medical devices (IMDs). Recent work, however, has Recent work, however, has shown that such wireless connecti v- demonstrated that wireless connectivity can be exploited t o com- ity can be exploited to compromise the confidentiality of the IMD’s end promise the confidentiality of IMDs’ transmitted data or to s transmitted data or to send the IMD unauthorized commands— unauthorized commands to IMDs—even commands that cause the to even commands that cause the IMD to deliver an electric shock allenge device to deliver an electric shock to the patient. The key ch the patient [21, 22]. In other systems, designers use crypto graphic in addressing these attacks stems from the difficulty of modi fying methods to provide confidentiality and prevent unauthorize d ac- or replacing already-implanted IMDs. Thus, in this paper, w e ex- cess. However, adding cryptography directly to IMDs themselves rom such plore the feasibility of protecting an implantable device f is difficult for the following reasons: attacks without modifying the device itself. We present a ph ysical- layer solution that delegates the security of an IMD to a pers onal Inalterability: In the U.S. alone, there are millions of people who • . The shield uses a novel radio design shield base station called the already have wireless IMDs, and about 300,000 such IMDs are that can act as a jammer-cum-receiver. This design allows it to jam to implanted every year [58]. Once implanted, an IMD can last up ile the IMD’s messages, preventing others from decoding them wh 10 years [14], and replacing it requires surgery that carrie s risks jam being able to decode them itself. It also allows the shield to of major complications. Incorporating cryptographic mech anims ld’s unauthorized commands—even those that try to alter the shie into existing IMDs may be infeasible because of limited devi ce own transmissions. We implement our design in a software rad io memory and hence can only be achieved by replacing the IMDs. ely and evaluate it with commercial IMDs. We find that it effectiv This is not an option for people who have IMDs or may acquire MD from provides confidentiality for private data and protects the I them in the near future. unauthorized commands. Safety: • It is crucial to ensure that health care professionals al- if ways have immediate access to an implanted device. However, Categories and Subject Descriptors Computer C.2.2 [ - cryptographic methods are embedded in the IMD itself, the de Systems Organization ]: Computer-Communications Networks vice may deny a health care provider access unless she has the Algorithms, Design, Performance, Security General Terms in sce- right credentials. Yet, credentials might not be available narios where the patient is at a different hospital, the pati ent is Full-duplex, Implanted Medical Devices, Wireless Keywords un- unconscious, or the cryptographic key storage is damaged or ble an reachable [22, 31]. Inability to temporarily adjust or disa 1 IMD could prove fatal in emergency situations. 1. INTRODUCTION Software bugs are particularly problematic for Maintainability: • IMDs because they can lead to device recalls. In the last eigh t d net- The past few years have produced innovative health-oriente re re- years, about 1.5 million software-based medical devices we from working and wireless communication technologies, ranging called [15]. Between 1999 and 2005, the number of recalls of low-power medical radios that harvest body energy [27] to wi reless software-based medical devices more than doubled; more tha n 5]. To- sensor networks for in-home monitoring and diagnosis [51, 5 re 11% of all medical-device recalls during this time period we any day, such wireless systems have become an intrinsic part of m ly and attributed to software failures [15]. Such recalls are cost dical modern medical devices [39]. In particular, implantable me s, it could require surgery if the model is already implanted. Thu ors, in- devices (IMDs), including pacemakers, cardiac defibrillat sary is desirable to limit IMDs’ software to only medically neces sulin pumps, and neurostimulators all feature wireless com munica- functions. tion [39]. Adding wireless connectivity to IMDs has enabled remote This paper explores the feasibility of protecting IMDs without by implementing security mechanisms entirely on modifying them an external device. Such an approach enhances the security o f IMDs s work for Permission to make digital or hard copies of all or part of thi nel for patients who already have them, empowers medical person personal or classroom use is granted without fee provided th at copies are to access a protected IMD by removing the external device or p ow- d that copies not made or distributed for profit or commercial advantage an y otherwise, to bear this notice and the full citation on the first page. To cop ering it off, and does not in itself increase the risk of IMD re calls. republish, to post on servers or to redistribute to lists, re quires prior specific 1 Note that distributing the credentials widely beyond the pa tient’s primary health care permission and/or a fee. providers increases the probability of the key being leaked and presents a major key August 15–19, 2011, Toronto, Ontario, Canada. SIGCOMM’11, revocation problem. Copyright 2011 ACM 978-1-4503-0797-0/11/08 ...$10.00.

2 diac resynchronization therapy device (CRT) [36]. Our eval uation We present a design in which an external device, called the reveals the following: , is interposed between the IMD and potential counter- shield parties—e.g., worn on the body near an implanted device. The • When the shield is present, it jams the IMD’s messages, causi ng shield acts as a gateway that relays messages between the IMD and ror even nearby (20 cm away) eavesdroppers to experience a bit er authorized endpoints. It uses a novel physical-layer mecha nism to rate of nearly 50%, which is no better than a random guess. cryp- secure its communication with the IMD, and it uses a standard de- When the shield jams the IMD’s packets, it can still reliably • tographic channel to communicate with other authorized end points. code them (the packet loss rate is 0.2%, which is negligible) . We sive The shield counters two classes of adversarial actions: pas conclude that the shield and the IMD share an information cha n- eavesdropping that threatens the confidentiality of the IMD ’s trans- nel that is inaccessible to other parties. missions, and active transmission of unauthorized radio co mmands When the shield is absent, the IMD replies to unauthorized co m- • to the IMD. First, to provide confidentiality for the IMD’s tr ans- mands, even if the adversary is in a non-line-of-sight locat ion issions missions, the shield continuously listens for those transm more than 14 m away, and uses a commercial device that oper- . and jams them so that they cannot be decoded by eavesdroppers ates in the MICS band and adheres to the FCC power limit. The shield uses a novel radio design to simultaneously recei ve the When the shield is present and has the same transmit power as t he • IMD’s signal and transmit a jamming signal. The shield then t rans- adversary, the IMD does not respond to unauthorized command s, mits the IMD’s signal to an authorized endpoint using standa rd even when the adversary is only 20 cm away. st com- cryptographic techniques. Second, to protect the IMD again • When the shield is absent and an adversary with 100 times the mands from unauthorized endpoints, the shield listens for u nautho- shield’s power transmits unauthorized commands, the IMD re - rized transmissions addressing the IMD and jams them. As a re sult sponds from distances as large as 27 m. When the shield is of jamming, the IMD cannot decode the adversarial transmiss ions, uc- present, however, the high-powered adversary’s attempts s and hence the adversary fails to make the IMD execute an unaut ho- ceed only from distances less than 5 m, and only in line-of- rized command. ver- sight locations. The shield always detects high-powered ad A key challenge that we had to overcome to realize this archit ec- uf- sarial transmissions and raises an alarm. We conclude that s ture is to design a small wearable radio that simultaneously jams mita- ficiently high-powered adversaries present an intrinsic li the IMD’s signal and receives it. We build on prior work in the tion to our physical-layer protection mechanism. However, the e to area of full-duplex radio design, which enables a single nod shield’s presence reduces the adversary’s success range an d in- work re- transmit and receive simultaneously [3, 7]. However, prior pts. forms the patient, raising the bar for the adversary’s attem quires large antenna separation and hence yields large devi ces un- suitable for our application. In particular, state-of-the -art design for The shield is, to our knowledge, the first system that simulta ne- full-duplex radios [3] exploits the property that a signal r everses its protects ously provides confidentiality for IMDs’ transmissions and rom phase every half a wavelength; it transmits the same signal f IMDs against commands from unauthorized parties without requir- two antennas and puts a receive antenna exactly half a wavelength ing any modification to the IMDs themselves . Further, because it closer to one of the transmit antennas than the other. An ante nna e a com- affords physical-layer protection, it may also help provid separation of half a wavelength, however, is unsuitable for our con- ure cryp- plementary defense-in-depth solution to devices that feat h text: the IMDs we consider operate in the 400 MHz band [13] wit ms. tographic or other application-layer protection mechanis as to a wavelength of about 75 cm. A shield that requires the antenn Disclaimer. Operating a jamming device has legal implications that hal- be rigidly separated by exactly half a wavelength (37.5 cm) c mming vary by jurisdiction and frequency band. The definition of ja lenges the notion of wearability and therefore patient acce ptability. also depends on both context and intent. Our experiments wer e con- This paper presents a full-duplex radio that does not impose re- ducted in tightly controlled environments where no patient s were can be strictions on antenna separation or positioning, and hence e with com- present. Further, the intent of a shield is never to interfer built as a small wearable device. Our design uses two antenna s: a munications that do not involve its protected IMD. We recomm end jamming antenna and a receive antenna, placed next to each ot her. that anyone considering deployment of technology based on t his es- The jamming antenna transmits a random signal to prevent eav research consult with their own legal counsel. nstead droppers from decoding the IMD’s transmissions. However, i of relying on a particular positioning to cancel the jamming signal 2. IMD COMMUNICATION PRIMER tane- at the receive antenna, we connect the receive antenna simul ously to both a transmit and a receive chain. We then make the Wireless communication appears in a wide range of IMDs, in- signal that cancels the jamming antidote transmit chain send an cluding those that treat heart failure, diabetes, and Parki nson’s dis- signal at the receive antenna’s front end, allowing it to rec eive the - ease. Older models communicated in the 175 KHz band [22]. How IMD’s signal and decode it. We show both analytically and em- al ever, in 1999, the FCC set aside the 402–405 MHz band for medic pirically that our design delivers its security goals witho ut antenna as implant communication services (MICS) [13]. The MICS band w separation; hence it can be built as a small wearable radio. considered well suited for IMDs because of its internationa l avail- Our design has additional desirable features. Specifically , be- ability for this purpose [10], its signal propagation chara cteristics cause the shield can receive while jamming, it can detect adv er- in the human body, and its range of several meters that allows re- saries who try to alter the shield’s signal to convey unautho rized ion mote monitoring. Modern IMDs communicate medical informat he messages to the IMD. It can also ensure that it stops jamming t a- in the MICS band, though devices may use other bands for activ e de- medium when an adversarial signal ends, allowing legitimat tion (e.g., 2.4 GHz or 175 KHz) [45]. IMDs share the MICS band vices to communicate. with meteorological systems on a secondary basis and should en- We have implemented a prototype of our design on USRP2 soft- sure that their usage of it does not interfere with these syst ems. The l- ware radios [9]. We use 400 MHz daughterboards for compatibi FCC divides the MICS band into multiple channels of 300 KHz ity with the 402–405 MHz Medical Implant Communication Ser- width [13]. A pair of communicating devices uses one of these e vices (MICS) band used by IMDs [13]. We evaluate our prototyp channels. so shield against two modern IMDs, namely the Medtronic Virtuo IMDs typically communicate infrequently with a device call ed to car- implantable cardiac defibrillator (ICD) [37] and the Concer an IMD programmer (hereafter, programmer ). The programmer ini-

3 Chapter 1 in [26] and Chapter 7 in [53]). The IMDs we con- tiates a session with the IMD during which it either queries t he IMD sider operate in the 400 MHz band with a wavelength of about for its data (e.g., patient name, ECG signal) or sends it comm ands 75 cm. Thus, one can defend against a MIMO eavesdropper or (e.g., a treatment modification). By FCC requirement, the IM D does an eavesdropper with a directional antenna by ensuring that the only not normally initiate communications; it transmits in response rom shield is located significantly less than half a wavelength f to a transmission from a programmer [13] or if it detects a lif e- the IMD. For example, if the protected IMD is a pacemaker im- threatening condition [23]. planted near the clavicle, the shield may be implemented as a A programmer and an IMD share the medium with other de- necklace or a brooch, allowing it to sit within a few centimet ers r vices as follows [13]. Before they can use a 300 KHz channel fo of the IMD. ure their session, they must “listen” for a minimum of 10 ms to ens The adversary may be in any location farther away from the IMD • that the channel is unoccupied. Once they find an unoccupied c han- than the shield (e.g., at distances 20 cm and greater). rammer nel, they establish a session and alternate between the prog di- transmitting a query or command, and the IMD responding imme (b) Active adversary: Such an adversary sends unauthorized ra- D ately without sensing the medium [24]. The programmer and IM dio commands to the IMD. These commands may be intended to can keep using the channel until the end of their session, or u n- modify the IMD’s configuration or to trigger the IMD to transm it til they encounter persistent interference, in which case t hey listen ary the fol- unnecessarily, depleting its battery. We allow this advers again to find an unoccupied channel. lowing properties: 3. ASSUMPTIONS AND THREAT MODEL • The adversary may use one of the following approaches to send commands: it may generate its own unauthorized messages; it may record prior messages from other sources and play them 3.1 Assumptions back to the IMD; or it may try to alter an authorized message on We assume that IMDs and authorized programmers are honest the channel, for example, by transmitting at a higher power a nd and follow the protocols specified by the FCC and their manu- causing a capture effect at the IMD [46]. el for facturers. We also assume the availability of a secure chann - • The adversary may use different types of hardware. The adver ld; this transmissions between authorized programmers and the shie sary may transmit with a commercial IMD programmer acquired channel may use the MICS band or other bands. We further assum e from a hospital or elsewhere. Such an approach does not requi re that the shield is a wearable device located close to the IMD, such as ’s the adversary to know the technical specifications of the IMD a necklace. Wearable medical devices are common in the medic al r, an communication or to reverse-engineer its protocol. Howeve industry [34, 49]. We also assume that the adversary does not phys- adversary that simply uses an unmodified commercial IMD pro- ically try to remove the shield or damage it. We assume that le giti- grammer cannot use a transmit power higher than that allowed mate messages sent to an IMD have a checksum and that the IMD by the FCC. Alternatively, a more sophisticated adversary m ight will discard any message that fails the checksum test. This l atter reverse-engineer the IMD’s communication protocol, then m od- aware assumption is satisfied by all wireless protocols that we are ify the IMD programmer’s hardware or use his own radio trans- y, of, including the ones used by the IMDs we tested (§9). Finall mitter to send commands. In this case, the adversary can cus- ons we assume that the IMD does not normally initiate transmissi tomize the hardware to transmit at a higher power than the FCC (in accordance with FCC rules [13]); if the IMD initiates a tr ans- allows. Further, the adversary may use MIMO or directional a n- e make no mission because it detects a life-threatening condition, w tennas. Analogous to the above, however, MIMO beamforming attempt to protect the confidentiality of that transmission . and directional antennas require the two receivers to be sep arated by a minimum of half a wavelength (37 cm in the MICS band), 3.2 Threat Model and hence can be countered by keeping the shield in close prox - We address two classes of commonly considered radio-equipp ed imity to the IMD. adversaries: passive eavesdroppers that threaten the confi dentiality • The adversary may be in any location farther away from the IMD empt to of the IMD’s transmissions, and active adversaries that att than the shield. send unauthorized radio commands to the IMD [15, 32]. Such an adversary eavesdrops on the (a) Passive eavesdropper: 4. SYSTEM OVERVIEW wireless medium and listens for an IMD’s transmissions. Spe cifi- To achieve our design goal of protecting an IMD without modi- cally, we consider an adversary with the following properti es: shield fying it, we design a device called the that sits near the IMD m- and acts as a proxy. An authorized programmer that wants to co The adversary may try different decoding strategies. It may con- • municate with the IMD instead exchanges its messages with th e sider the jamming signal as noise and try to decode in the pres - shield, which relays them to the IMD and sends back the IMD’s r e- nce ence of jamming. Alternatively, it can implement interfere en- sponses, as shown in Fig. 1. We assume the existence of an auth sly de- cancellation or joint decoding in an attempt to simultaneou ammer. ticated, encrypted channel between the shield and the progr , code the jamming signal and the IMD’s transmission. However out-of- This channel can be established using either in-band [19] or cod- basic results in multi-user information theory show that de band solutions [28]. ing multiple signals is impossible if the total information rate is The shield actively prevents device other than itself from any tion outside the capacity region [53]. We ensure that the informa s- communicating directly with the IMD. It does so by jamming me rate at the eavesdropper exceeds the capacity region by maki ng bility sages sent to and from the IMD. Key to the shield’s role is its a the shield jam at an excessively high rate; the jamming signa l is to act as a jammer-cum-receiver, which enables it to jam the I MD’s random and sent without modulation or coding. transmissions and prevent others from decoding them, while still t • The adversary may use standard or custom-built equipment. I o de- being able to decode them itself. It also enables the shield t may also use MIMO systems and directional antennas to try to tect scenarios in which an adversary tries to overpower the s hield’s separate the jamming signal from the IMD’s signal. MIMO and own transmissions to create a capture effect on the IMD and de - rans- directional antenna techniques, however, require the two t liver an unauthorized message. By proxying IMD communicati ons mitters to be separated by more than half a wavelength (see

4 and an antidote ( t ) on its receive antenna, the shield can receive x signals transmitted by other nodes while jamming the medium . Next, we show that the antidote cancels the jamming signal on ly at the shield’s receive antenna, and no other location. Let H l jam → H be the channels from the shield’s jamming and receive and rec → l antennas, respectively, to the adversary’s location l . An antenna po- Communication Communication Encrypted Encrypted receives the combined signal: l sitioned at IMD Programmer Shield The shield Protecting an IMD without modifying it: — Figure 1 y ) t ) + (3) ( t ) = H j ( t ( H x → l rec → l jam o- jams any direct communication with the IMD. An authorized pr H jam → rec ith grammer communicates with the IMD only through the shield, w H − H = ( ) ( t ) . (4) j → rec l l jam → which it establishes a secure channel. H self l , the follow- For the jamming signal to be cancelled out at location Jamming Signal ing must be satisfied: Antidote Signal b H H l → jam jam rec → j(t) x(t) a . = (5) H H self rec → l Baseband to Baseband to Baseband to n n n n n n Passband Passband Passband nsures Locating the shield’s two antennas very close to each other e Shield the attenuation from the two antennas is com- l that at any location ive Chai DAC ADC DAC smit Chai smit Chai e e H → jam l parable, i.e., | 1 (see Chapter 7 in [53] for a detailed anal- |≈ H → l rec Rec Tran Tran H → jam rec Encoder Encoder Decoder is the attenuation on the H | |≪ 1; | | ysis). In contrast, self H self short wire between the transmit and receive chains in the rec eive Figure 2 uses two antennas: — The jammer-cum-receiver design tween antenna, which is significantly less than the attenuation be ceive a jamming antenna that transmits the jamming signal, and a re the two antennas that additionally have to go on the air [17]. For antenna. The receive antenna is connected to both a transmit and H rec → jam | example, in our USRP2 prototype, the ratio |≈− 27 dB. receive chain. The antidote signal is transmitted from the t ransmit H self chain to cancel out the jamming signal in the receive chain. Thus, the above condition is physically infeasible, and can celling ancel the jamming signal at the shield’s receive antenna does not c without requiring patients to interact directly with the sh ield, our it at any other location. design aligns with IMD industry trends toward wireless, tim e- and We note several ancillary properties of our design: location-independent patient monitoring. The next sections explain the jammer-cum-receiver’s desig n, im- • Off- Transmit and receive chains connected to the same antenna: plementation, and use against passive and active adversari es. the-shelf radios such as the USRP [9] have both a receive and a n- transmit chain connected to the same antenna; they can in pri 5. JAMMER-CUM-RECEIVER na. ciple transmit and receive simultaneously on the same anten A jammer-cum-receiver naturally needs to transmit and rece ive Traditional systems cannot exploit this property, however , be- simultaneously. This section presents a design for such a fu ll- vent- cause the transmit signal overpowers the receive chain, pre duplex radio. Our design has two key features: First, it impo ses no - ing the antenna from decoding any signal but its own transmis evice. size restrictions and hence can be built as a small wearable d sion. When the jamming signal and the antidote signal cancel ceive Second, it cancels the jamming signal only at the device’s re each other, the interference is cancelled and the antenna ca n re- antenna and at no other point in space—a necessary requireme nt ceive from other nodes while transmitting. for our application. • Antenna cancellation vs. analog and digital cancellation: Can- Our design, shown in Fig. 2, uses two antennas: a jamming an- celling the jamming signal with an antidote is a form of an- tenna and a receive antenna. The jamming antenna transmits a ran- heme tenna cancellation. Thus, as in the antenna cancellation sc dom jamming signal. The receive antenna is simultaneously c on- by Choi et al. [3], one can improve performance using hardwar e nected to both a transmit and a receive chain. The transmit ch ain nput components such as analog cancelers [43]. In this case, the i sends an antidote signal that cancels the jamming signal at t he re- b in Fig. 2; to the analog canceler will be taken from points a and eceive ceive antenna’s front end, allowing the receive antenna to r in. the output will be fed to the passband filter in the receive cha any signal without disruption from its own jamming signal. • Channel estimation: Computing the antidote in equation 2 re- The antidote signal can be computed as follows. Let ( ) j be the t quires knowing the channels and H H . The shield esti- self → jam rec jamming signal and x ( t ) be the self- be the antidote. Let H self ion mates these channels using two methods. First, during a sess looping channel on the receive antenna (i.e., the channel fr om with the IMD, the shield measures the channels immediately b e- nd the transmit chain to the receive chain on the same antenna) a fore it transmits to the IMD or jams the IMD’s transmission. H the channel from the jamming antenna to the receive an- → rec jam In the absence of an IMD session the shield periodically (ev- tenna. The signal received by the shield’s receive antenna i s: g a ery 200 ms in our prototype) estimates this channel by sendin probe. Since the shield’s two antennas are close to each othe r, the t ) + t ( j (1) ( ) H ) = t ( y x . H jam → self rec e probe can be sent at a low power to allow other nodes to leverag dote To cancel the jamming signal at the receive antenna, the anti spatial reuse to concurrently access the medium. must satisfy: • Our discussion has been focused on narrow- Wideband channels: d band channels. However, the same description can be extende H rec → jam x ( t − ) = (2) ( t ) . j to work with wideband channels which exhibit multipath effe cts. H self Specifically, such channels use OFDM, which divides the band - width into orthogonal subcarriers and treats each of the sub carri- on its jamming antenna ) t j Thus, by transmitting a random signal (

5 (a) Without jamming Virtuoso ICD Power Profile -100 -50 0 50 100 150 -150 Frequency (kHz) Figure 4 — The frequency profile of the FSK signal captured from a Virtuoso cardiac defibrillator shows that most of the en- ± ergy is concentrated around 50 KHz. IMD Power Profile Constant Power Profile (b) With jamming Shaped Power Profile Figure 3 — Typical interaction between the Virtuoso IMD and its programmer: Without jamming (a), the IMD transmits in re- he sponse to an interrogation. The bottom graph (b) shows that t IMD transmits within a fixed interval without sensing the med ium. ers as if it was an independent narrowband channel. Our model 2 Jamming Power Profile naturally fits in this context. 0 -50 -100 -150 150 100 50 Frequency (kHz) 6. VERSUS PASSIVE EAVESDROPPERS Shaping the jamming signal’s profile to match an — Figure 5 he To preserve the confidentiality of an IMD’s transmissions, t IMD’s allows the shield to focus its jamming power on the fre- ss shield jams the IMD’s signal on the channel. Since the wirele quencies that matter for decoding, as opposed to jamming acr oss mitted channel creates linear combinations of concurrently trans the entire 300 KHz channel. time signals, jamming with a random signal provides a form of one- rypt pad, where only entities that know the jamming signal can dec sing While jamming, the shield receives the signal on the medium u e jam- the IMD’s data [50]. The shield leverages its knowledge of th P ) + ( T − milliseconds. T its receive antenna. The shield jams for 1 2 ming signal and its jammer-cum-receiver capability to rece ive the Additionally, to deal with scenarios in which the IMD may tra ns- IMD’s data in the presence of jamming. ts abil- mit in response to an unauthorized message, the shield uses i s ev- To realize our design goal, the shield must ensure that it jam ity to detect active adversaries that might succeed at deliv ering a ery packet transmitted by the IMD. To this end, the shield lev erages message to the IMD (see §7(d)). Whenever such an adversary is two properties of MICS-band IMD communications [13, 24]: detected, the shield uses the same algorithm above, as if the mes- sage were sent to the IMD by the shield itself. • An IMD does not transmit except in a response to a message We note that each shield should calibrate the above paramete rs from a programmer. The shield can listen for programmer tran s- er, the for its own IMD. In particular, for the IMDs tested in this pap . missions and anticipate when the IMD may start transmitting above parameters are as follows: 3.7 ms, and = 2.8 ms, T = T 1 2 An IMD transmits in response to a message from a programmer • 21 ms. = P he without sensing the medium. This allows the shield to bound t Our design of the shield sets three sub-goals: interval during which the IMD replies after receiving a mess age. (a) Maximize jamming efficiency for a given power budget: It Fig. 3 shows an example exchange between a Medtronic Virtu- nal is important to match the frequency profile of the jamming sig oso implantable cardiac defibrillator (ICD) and a programme r (in and to the frequency profile of the jammed signal [30]. To underst this case, a USRP). Fig. 3(a) shows that the Virtuoso transmi ts in brilla- this issue, consider the example of the Virtuoso cardiac defi response to a programmer’s message after a fixed interval (3. 5 ms). . tor. This device operates over a channel bandwidth of 300 KHz e To check that the Virtuoso indeed does not sense the medium, w d at However, it uses FSK modulation where a ‘0’ bit is transmitte made the programmer USRP transmit a message to the Virtuoso a nd and a ‘1’ bit is transmitted at a different frequency one frequency f 0 within 1 ms transmit another random message. Fig. 3(b) plots the f . Fig. 4 shows the frequency profile of the FSK signal captured 1 resulting signal and shows that the Virtuoso still transmit ted after from a Virtuoso cardiac defibrillator. A jammer might create a jam- the same fixed interval even though the medium was occupied. ency- ming signal over the entire 300 KHz. However, since the frequ Given the above properties, the shield uses the following al go- domain representation of the received FSK signal has most of its T and be the lower T rithm to jam the IMD’s transmissions. Let 2 1 , an adversary can eliminate f energy concentrated around f and 1 0 and upper bounds on the time that the IMD takes to respond to a en- most of the jamming signal by applying two band-pass filters c be the IMD’s maximum packet duration. When- P message, and let tered on . and f f 1 0 he ever the shield sends a message to the IMD, it starts jamming t re of Therefore, an effective jammer should consider the structu T medium exactly milliseconds after the end of its transmission. 1 the IMD’s signal when crafting the jamming signal, shaping t he amount of energy it puts in each frequency according to the fr e- 2 d apply an equal- More generally, one could compute the multi-path channel an file quency profile of the IMD signal. Fig. 5 compares the power pro izer [18] on the time-domain antidote signal that inverts th e multi-path of the jamming an of a jamming signal that is shaped to fit the signal in Fig. 4 and signal.

6 the BER at the adversary while maintaining a low BER at the shi eld, oblivious jamming signal that uses a constant power profile. The one needs to increase G , which is the amount of jamming power er figure shows that the shaped signal has increased jamming pow cancelled at the shield’s receive antenna. We refer to G as the SINR in frequencies that matter for decoding. between the shield and the adversary. gap To shape its jamming signal appropriately, the shield gener ates We show in §10.1 that for the tested IMDs, an SINR gap of the jamming signal by taking multiple random white Gaussian G = 32 dB suffices to provide a BER of nearly 50% at the adver- uency noise signals and assigning each of them to a particular freq sary (reducing the adversary to guessing) while maintainin g reliable bin in the 300 KHz MICS channel. The shield sets the variance o f packet delivery at the shield. wer the white Gaussian noise in each frequency bin to match the po ency profile resulting from the IMD’s FSK modulation in that frequ bin. We then take the IFFT of all the Gaussian signals to gener ate 7. VERSUS ACTIVE ADVERSARIES the time-domain jamming signal. This process generates a ra ndom Next, we explain our approach for countering active adversa ries. o- jamming signal that has a power profile similar to the power pr At a high level, the shield detects unauthorized packets and jams tude file generated by IMD modulation. The shield scales the ampli rized them. The jamming signal combines linearly with the unautho he of the jamming signal to match its hardware’s power budget. T ores signal, causing random bit flips during decoding. The IMD ign shield also compensates for any carrier frequency offset be tween its these packets because they fail its checksum test. RF chain and that of the IMD. identi- The exact active jamming algorithm follows. Let S be an id To ensure (b) Ensure independence of eavesdropper location: fying sequence , i.e., a sequence of m bits that is always used to iden- te (BER) confidentiality, the shield must maintain a high bit error ra includes the packets’ physical- tify packets destined to the IMD. S id independent of the adversary’s location. The at the adversary, layer preamble and the subsequent header. When the shield is not BER at the adversary, however, strictly depends on its signa l-to- cts a sig- transmitting, it constantly monitors the medium. If it dete [17]. To show that the BER at interference-and-noise ratio, SINR A oded nal on the medium, it proceeds to decode it. For each newly dec e SINR the adversary is independent of its location, we show that th m decoded bits against the identifying bit, the shield checks the last at the adversary is independent of its location. S . If the two sequences differ by fewer than a thresh- sequence id P Suppose the IMD transmits its signal at a power dB and the i old number of bits, , the shield jams the signal until the signal b thresh shield transmits the jamming signal at a power dB. The IMD’s P j stops and the medium becomes idle again. he ad- signal and the jamming signal will experience a pathloss to t m The shield also uses its receive antenna to monitor the mediu versary of and , respectively. Thus, the SINR at the adversary L L j i while transmitting. However, in this case, if it detects a si gnal con- can be written in dB as: current to its transmission, it switches from transmission to jam- in. ming and continues jamming until the medium becomes idle aga (6) SINR − L − N P ( − ) , L − ) P = ( j A j i i A cking The reason the shield jams any concurrent signal without che is the noise in the adversary’s hardware. Since equation 6 where N A is to ensure that an adversary cannot successfully alter the S for id is written in a logarithmic scale, the pathlosses translate into sub- o- shield’s own message on the channel in order to send an unauth tractions. rized message to the IMD. The pathloss from the IMD to the adversary can be expressed We note five subtle design points: n the as the sum of the pathloss that the IMD’s signal experiences i Our algorithm relies on the (a) Choosing identifying sequences: body and on the air, i.e., L = L L [39]. Since the shield and + i body air identifying sequence in order to identify transmissions destined S id n the air the IMD are close together, the pathlosses they experience o ng a for the protected IMD. We therefore desire a method of choosi [53]. L ≈ L to the adversary are approximately the same—i.e., j air S per-device based on unique device characteristics. Fortunately, id Thus, we can rewrite equation 6 as: IMDs already bear unique identifying characteristics. For example, N . − P − ) L − P = ( SINR (7) the Medtronic IMDs that we tested (the Virtuoso ICD and the Co n- i j A A body d certo CRT) use FSK modulation, a known preamble, a header, an is independent of the adver- The above equation shows that SINR A the device’s ID, i.e., its 10-byte serial number. More gener ally, each power sary’s location and can be controlled by setting the jamming wireless device has an FCC ID, which allows the designer to lo ok P t the to an appropriate value. This directly implies that the BER a j od- up the device in the FCC database and verify its modulation, c adversary is independent of its location. 3 One can use these specifica- ing, frequency and power profile [12]. Sim- (c) SINR tradeoff between the shield and the adversary: tions to choose an appropriate identifying sequence. Furth ermore, ilarly to how we computed the SINR of an eavesdropper, we can once in a session, the IMD locks on to a unique channel, to rece ive compute the SINR of the shield (in dB) as: d any future commands. Since other IMD–programmer pairs avoi cify occupied channels, this channel ID can be used to further spe − ) G − (8) , ( − ) P L − N P = ( SINR i S j G body the target IMD. N is the thermal noise on the shield and where is the reduction in G G b (b) Setting the threshold If an adversary can transmit a sig- : thresh the jamming signal power at the receive antenna due to the ant idote. than nal and force the shield to experience a bit error rate higher The above equation simply states that SINR is the IMD power S the IMD’s, it may prevent the shield from jamming an unautho- ation, after subtracting the pathloss due mainly to in-body propag s. rized command that the IMD successfully decodes and execute the residual of the jamming power ( P − ), and the noise. G j , for However, we argue that such adversarial success is unlikely Note that if one ignores the noise on the shield’s receive an- two reasons. First, because the signal goes through body tis sue, the mpar- tenna and the adversary’s device (which are negligible in co as IMD experiences an additional pathloss that could be as high n the ison to the other terms), one can express the relation betwee ignal 40 dB [47], and hence it naturally experiences a much weaker s two SINRs using a simple equation: than the shield. Second, the IMD uses a harder constraint to a ccept a packet than the constraint the shield uses to jam a packet. S pecif- . (9) SINR SINR + G = A S ically, the IMD requires that all bits be correct to pass a che cksum, This simplified view reveals an intrinsic tradeoff between t he SINR 3 at the shield and the adversary, and hence their BERs. To incr ease For example, the FCC ID LF5MICS refers to Medtronic IMDs we tested.

7 while the shield tolerates some differences (up to b bits) be- thresh Sh i eld tween the identifying sequence and the received one. We desc ribe 10 IMD 6 our empirical method of choosing b in §10.1(c). thresh dversary A It is important to realize that (c) Customizing for the MICS band: 2 5 n the shield can listen to the entire 3 MHz MICS band, transmit i 6.92 1 tinue all or any subset of the channels in this band, and further con 3 in 4 7 11 of the to listen to the whole band as it is transmitting in any subset 9 channels. It is fairly simple to build such a device by making the 8 12 radio front end as wide as 3 MHz and equipping the device with per-channel filters. This enables the shield to process the s ignals 14 13 18 from all channels in the MICS band simultaneously. 17 15 16 The shield uses this capability to monitor the entire 3 MHz MI CS 8. 8. 8. 8. 8.92 8. 9 9 9 9 92 in in in in n n band because an adversary can transmit to the IMD on any chann el in the band. This monitoring allows the shield to detect and c ounter — Figure 6 showing shield, IMD, and adversary lo- Testbed setup ed here cations. We experiment with 18 adversary locations, number adversarial transmissions even if the adversary uses frequ ency hop- in descending order of received signal strength at the shiel d. ping or transmits in multiple channels simultaneously to tr y to con- he fuse the shield. The shield jams any given 300 KHz channel if t ribed in channel contains a signal that matches the constraints desc Our design for a two-antenna jammer-cum-receiver requires the the active jamming algorithm. a receive antenna to be always connected to both a transmit and nsmit receive chain. To enable the shield’s receive antenna to tra The shield must adhere to the (d) Complying with FCC rules: and receive simultaneously, we turn off the USRP RX/TX switc h, FCC power limit even when jamming an adversary. However, as to the which leaves both the transmit and receive chains connected explained in §3, a sophisticated adversary may use a transmi ssion atr_txval=MIX_EN antenna all the time. Specifically, we set power much higher than the FCC limit. In such cases, the adver - and in the TX chain, and we set atr_rxval=ANT_SW sary will be able to deliver its packet to the IMD despite jamm ing. and atr_txval=MIX_EN in the RX atr_rxval=MIX_EN high- However, the shield is still useful because it can detect the p chain, in the USRP2’s firmware and FPGA code. Finally, we equi powered adversary in real time and raise an alarm to attract t he es so the shield with FSK modulation and demodulation capabiliti attention of the patient or a caregiver. Such alarms may be si milar that it can communicate with an IMD. to a cell phone alarm, i.e., the shield may beep or vibrate. It is de- sirable to have a low false positive rate for such an alarm. To that end, we calibrate the shield with an IMD to find the minimum ad- 9. TESTING ENVIRONMENT e IMD versarial transmit power that can trigger a response from th Our experiments use the following devices: P despite jamming. We call this value . When the shield detects thresh a potentially adversarial transmission, it checks whether the signal Medtronic Virtuoso DR implantable cardiac defibrillators • , in which case it raises an alarm. P power exceeds (ICDs) [37]. thresh Finally, we note that when the shield detects a high-powered ac- • vice A Medtronic Concerto cardiac resynchronization therapy de dversary tive adversary, it also considers the possibility that the a (CRT) [36]. ata. will send a message that triggers the IMD to send its private d A Medtronic Vitatron Carelink 2090 Programmer [35]. • hm: in In this case, the shield applies the passive jamming algorit • USRP2 software radio boards [9]. addition to jamming the adversary’s high-powered message, it jams experiments, the ICD and CRT play the role of the in vitro In our the medium afterward as detailed in §6. protected IMD. The USRP devices play the roles of the shield, the (e) Battery life of the shield: Since jamming consumes power, one adversary, and legitimate users of the MICS band. We use the p ro- may wonder how often the shield needs to be charged. In the ab- ecords grammer off-line with our active adversary; the adversary r sence of attacks, the shield jams only the IMD’s transmissio ns, and the programmer’s transmissions in order to replay them late r. Ana- hence transmits approximately as often as the IMD. IMDs are t yp- , reducing log replaying of these captured signals doubles their noise ically nonrechargeable power-limited devices that do not t ransmit modu- the adversary’s probability of success, so the adversary de frequently [11]. Thus, in this mode of operation, we do not ex pect to re- lates the programmer’s FSK signal into the transmitted bits the battery of the shield to be an issue. When the IMD is under a n move the channel noise. The adversary then re-modulates the bits active attack, the shield will have to transmit as often as th e adver- to obtain a clean version of the signal to transmit to the IMD. mit sary. However, since the shield transmits at the FCC power li n a hu- Fig. 6 depicts the testing setup. To simulate implantation i for the MICS band, it can last for a day or longer even if transm it- th man, we followed prior work [22] and implanted each IMD benea ting continuously. For example, wearable heart rate monito rs that 1 cm of bacon, with 4 cm of 85% lean ground beef packed under- . continuously transmit ECG signals can last 24–48 hours [57] neath. We placed the shield next to the IMD on the bacon’s surf ace etween to simulate a necklace. We varied the adversary’s location b 20 cm and 30 m, as shown in the figure. 8. IMPLEMENTATION We implement a proof-of-concept prototype shield with GNU 10. EVALUATION ’s Radio and USRP2 hardware [9, 16]. The prototype uses the USRP RFX400 daughterboards, which operate in the MICS band [13]. We evaluate our prototype of a shield against commercially a vail- me The USRP2 does not support multiple daughterboards on the sa able IMDs. We show that the shield effectively protects the c on- motherboard, so we implement a two-antenna shield with two fidentiality of the IMD’s messages and defends the IMD agains t USRP2 radio boards connected via an external clock [25] so th at commands from unauthorized parties. We experiment with bot h the xt to they act as a single node. The two antennas are placed right ne Virtuoso ICD and the Concerto CRT. However, since the two IMD s each other. did not show any significant difference, we combine the exper imen-

8 0.6 1 0.5 0.8 0.4 BER = 0.5 0.6 0.3 CDF 0.4 0.2 0.2 0.1 BER at the Adversary 0 0 36 38 22 40 20 26 28 30 0 5 10 15 20 25 32 34 24 Nulling of the Jamming Signal (dB) Jamming Power relative to IMD Power (dB) (a) Adversary’s BER vs. jamming power — Figure 7 The antidote signal reduces the Antenna cancellation: 0.2 jamming signal by 32 dB on average. 0.15 tal results from both devices and present them together. Our results 0.1 can be summarized as follows. 0.05 PER = 0.002 ut In practice, our antenna cancellation design can cancel abo • 32 dB of the jamming signal at the receive antenna (§10.1(a)) . Packet Loss at Shield 0 nce This result shows that our design achieves similar performa 5 15 20 0 25 10 k [3], to the antenna cancellation algorithm proposed in prior wor Jamming Power relative to IMD Power (dB) but without requiring a large antenna separation. (b) Shield’s PER vs. jamming power Setting the shield’s jamming power 20 dB higher than the IMD’ s • ate at received power allows the shield to achieve a high bit error r — Figure 8 Tradeoff between BER at the eavesdropper and reli- code the adversarial locations while still being able to reliably de able decoding at the shield: If the shield sets its jamming power IMD’s transmissions (§10.1(b)). The shield’s increased po wer 20 dB higher than the power it receives from the IMD, it can en- ely sure that an eavesdropper sees a BER around 50% (a)—effectiv still complies with FCC rules in the MICS band since the trans - cket reducing the eavesdropper to guessing—while keeping the pa mit power of implanted devices is 20 dB less than the transmit loss rate (PER) at the shield as low as 0.2% (b). power for devices outside the body [40, 41]. • With the above setting, the bit error rate at a passive eavesd rop- per is nearly 50% at all tested locations—i.e., an eavesdrop ping mance to algorithm introduced in this paper achieves similar perfor adversary’s decoding efforts are no more effective than ran dom 3], but the antenna cancellation algorithm proposed by Choi et al. [ 4 guessing. Further, even while jamming, the shield can relia bly without requiring a large antenna separation. decode the IMD’s packets with a packet loss rate less than 0.2 %. (b) Tradeoffs between eavesdropper error and shield error: The We conclude that the shield and the IMD share an information e an- aforementioned 32 dB of cancellation at the shield’s receiv channel inaccessible to other parties (§10.2). he tenna naturally sets an upper bound on the jamming power: if t - When the shield is present and active, an adversary using off • hield will residual error after jamming cancellation is too high, the s the-shelf IMD programmers cannot elicit a response from the fail to decode the IMD’s data properly. protected IMD even from distances as small as 20 cm. A more e er- To explore the tradeoff between the error at the shield and th sophisticated adversary that transmits at 100 times the shi eld’s lace ror at an eavesdropper, we run the following experiment. We p power successfully elicits IMD responses only at distances less the IMD and the shield at their marked locations in Fig. 6, and we than 5 meters, and only in line-of-sight locations. Further , the place a USRP eavesdropper 20 cm away from the IMD at loca- s an shield detects these high-powered transmissions and raise tion 1. In each run of the experiment, the shield repeatedly t rig- alarm. We conclude that the shield significantly raises the b ar its gers the IMD to transmit the same packet. The shield also uses for such high-powered adversarial transmissions (§10.3). jammer-cum-receiver capability to simultaneously jam and decode ack- the IMD’s packets. The eavesdropper tries to decode the IMD p 10.1 Micro-Benchmark Results ets, in the presence of jamming, using an optimal FSK decoder [38]. In this section, we calibrate the parameters of the shield an d ex- Fig. 8(a) plots the eavesdropper’s BER as a function of the amine the performance of its components. tu- shield’s jamming power. Since the required jamming power na rally depends on the power of the jammed IMD’s signal, the x-a xis (a) Antenna cancellation: We first evaluate the performance of the he sig- reports the shield’s jamming power relative to the power of t nds an antenna cancellation algorithm in §5, in which the shield se d nal it receives from the IMD. The figure shows that if the shiel antidote signal to cancel the jamming signal on its receive a ntenna. sets its jamming power 20 dB higher than the power of the signa l it ts In this experiment, the shield transmits a random signal on i h receives from the IMD, the BER at an eavesdropper is 50%, whic jamming antenna and the corresponding antidote on its recei ve an- l than means the eavesdropper’s decoding task is no more successfu tenna. In each run, it transmits 100 Kb without the antidote, fol- random guessing. er lowed by 100 Kb with the antidote. We compute the received pow Next, we check that the above setting allows the shield to rel iably ference at the receive antenna with and without the antidote. The dif decode the IMD’s packets. As above, Fig. 8(b) plots the shiel d’s ing in received power between the two trials is the amount of jamm o the packet loss rate as a function of its jamming power relative t te. cancellation resulting from the transmission of the antido le Fig. 7 shows the CDF of the amount of cancellation over multip 4 Choi et al. [3] also combine antenna cancellation with analo g and digital cancella- n jam- runs of the experiment. It shows that the average reduction i tion to obtain a total cancellation of 60 dB at the receive ant enna. However, we show ming power is about 32 dB. The figure also shows that the varian ce in §10.2 that for our purposes, a cancellation of 32 dB suffice s to achieve our goal of cellation of this value is small. This result shows that the antenna can high reliability at the shield and nearly 50% BER at the adver sary.

9 P Adversary power 11.1 dBm : Minimum − thresh 1 that elicits IMD response Average 4.5 dBm − 0.8 3.5 dBm Standard Deviation 0.6 Table 1 —Adversarial RSSI that elicits IMD responses despite the shield’s jamming. CDF 0.4 0.2 power of the signal it receives from the IMD. The figure shows 0 that if the shield’s jamming power is 20 dB higher than the IMD ’s 0.3 0.7 0 0.1 0.2 1 0.4 0.5 0.6 0.9 0.8 hat power, the packet loss rate is no more than 0.2%. We conclude t BER at the Adversary this jamming power achieves both a high error rate at the eave s- dropper and reliable decoding at the shield. CDF of an eavesdropper’s BER over all eavesdrop- Figure 9 — still We note that the shield’s increased power, described above, per locations in Fig. 6: At all locations, the eavesdropper’s BER complies with FCC rules on power usage in the MICS band becaus e ul is nearly 50%, which makes its decoding task no more successf n than random guessing. The low variance in the CDF shows that a max- the transmit power of implanted devices is 20 dB less than the eavesdropper’s BER is independent of its location. imum allowed transmit power for devices outside the body [40 , 41]. (c) Setting the jamming parameters: Next we calibrate the jam- 1 ming parameters for countering active adversaries. The shi eld must 0.8 jam unauthorized packets sent to the IMD it protects. It must jam these packets even if it receives them with some bit errors, b ecause 0.6 re- they might otherwise be received correctly at the IMD. We the CDF 0.4 b , on the number of fore empirically estimate an upper bound, thresh 0.2 bit flips an IMD accepts in an adversary’s packet header. The s hield . uses this upper bound to identify packets that must be jammed 0 , we perform the following experiment. First, b To estimate thresh 0.02 0.025 0.015 0.01 0.005 0 a USRP transmits unauthorized commands to the IMD to trigger Packet Loss at the Shield tions it to send patient data. We repeat the experiment for all loca Figure 10 — Packet loss at the shield: When the shield is jamming, in Fig. 6. The shield stays in its marked location in Fig. 6, bu t its e- it experiences an average packet loss rate of only 0.2% when r jamming capability is turned off. However, the shield logs a ll of the liably ceiving the IMD’s packets. We conclude that the shield can re kets packets transmitted by the IMD as well as the adversarial pac decode the IMD’s transmissions despite jamming. ckets that triggered them. We process these logs offline and, for pa that successfully triggered an IMD response despite contai ning bit eaves- IMD’s transmissions from an eavesdropper regardless of the ur errors, we count the number of bit flips in the packet header. O dropper’s location. results show that it is unlikely that a packet will have bit er rors at For the same experiment, Fig. 10 plots a CDF of the packet loss the shield but still be received correctly by the IMD. Out of 5 000 the rate of IMD-transmitted packets at the shield. Each point on packets, only three packets showed errors at the shield but s till trig- he x-axis refers to the packet loss rate over 1000 IMD packets. T gered a response from an IMD. The maximum number of bit flips reless average packet loss rate is about 0.2%, considered low for wi b 4. in those packets was 2, so we conservatively set = thresh systems [8]. Such a low loss rate is due to two factors. First, we Next, we measure , the minimum adversary RSSI at the P thresh locate the shield fairly close to the IMD, so it receives the I MD’s shield that can elicit a response from the IMD in the presence of ation signal at a relatively high SNR. Second, the jamming cancell jamming. To do so, we fix the location of the IMD and the shield oss is sufficient to maintain a high SNR that ensures a low packet l as shown in Fig. 6. Again we use a USRP that repeatedly sends s rate. We conclude that the shield can decode the IMD’s packet a command to trigger the IMD to transmit. We fix the adversary i n reliably, even while jamming. location 1 and vary its transmit power. Table 1 reports the mi nimum and average RSSI at the shield’s receive antenna for all pack ets that 10.3 Protecting from Active Adversaries succeeded in triggering the IMD to transmit. We set P 3 dB thresh nt lev- We distinguish between two scenarios representing differe below the minimum RSSI in the table and use that value for all els of adversarial sophistication. In the first, we consider scenarios subsequent experiments. in which the adversary uses an off-the-shelf IMD programmer to send unauthorized commands to the IMD. In the second, a more s o- 10.2 Protecting from Passive Adversaries uses cus- phisticated adversary reverse-engineers the protocol and To evaluate the effectiveness of the shield’s jamming, we ru n an tom hardware to transmit with much higher power than is possi ble o trans- experiment in which the shield repeatedly triggers the IMD t in the first scenario. mit the same packet. The shield also uses its jammer-cum-rec eiver The (a) Adversary that uses a commercial IMD programmer: capability to jam the IMD’s packets while it decodes them. We set simplest way an adversary can send unauthorized commands to an po- the shield’s jamming power as described in §6. In each run, we IMD is to obtain a standard IMD programmer and use its built-i n 6 and sition an eavesdropper at a different location shown in Fig. his radio. Since commercial programmers abide by FCC rules, in t make the IMD send 1000 packets. The eavesdropping adversary rable to scenario, the adversary’s transmission power will be compa attempts to decode the IMD’s packets using an optimal FSK de- et coder [38]. We record the BER at the eavesdropper and the pack that of the shield. loss rate at the shield. Using an IMD programmer we obtained via a popular auction Fig. 9 plots a CDF of the eavesdropper’s BER taken over all website, we play the role of such an active adversary. We use t he R locations in Fig. 6. The CDF shows that the eavesdropper’s BE setup in Fig. 6, fixing the IMD’s and shield’s locations and tr ans- sign is nearly 50% in all tested locations. We conclude that our de mitting unauthorized commands from all the marked location s. As lity of of the shield achieves the goal of protecting the confidentia shown in the figure, we experiment with both line-of-sight an d non-

10 1 1 1 1 1 1 1 1 1 0.95 1 1 0.94 Shield Absent Shield Absent 0.84 Shield Present Shield Present 0.77 0.78 0.8 0.8 0.70 0.59 0.6 0.6 0.4 0.4 0.2 0.2 0.02 0.01 0.01 Probability the IMD Replies 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 14 12 2 3 4 5 6 7 8 9 10 11 12 13 1 10 14 13 1 2 3 4 5 6 7 8 9 11 Probability the IMD Changes Treatment Location Location Figure 12 —Without the shield, an adversary using an off-the-shelf Figure 11 —Without the shield, triggering an IMD to transmit and deplete its battery using an off-the-shelf IMD programmer s ucceeds od- programmer to send unauthorized commands (in this case, to m ify therapy parameters) succeeds with high probability. Th e shield with high probability. With the shield, such attacks fail. materially decreases the adversary’s ability to control th e IMD. vely far line-of-sight locations as well as nearby (20 cm) and relati rized commands that trigger the IMD to transmit and those tha t locations (30 m). herapy change its therapy parameters, we show results only for the t To test whether the shield’s jamming is effective against un autho- modification command. rized commands, regardless of which unauthorized command t he Fig. 13 shows the results of this experiment in terms of the ob - adversary chooses to send, we experiment with two types of ad - both on served probability of adversarial success, with the shield versarial commands: those that trigger the IMD to transmit i ts data and off. It also shows the observed probability that the shie ld raises hange with the objective of depleting its battery, and those that c an alarm, which is how the shield responds to a high-powered com- the IMD’s therapy parameters. In each location, we play each ) adversarial transmission. The figure further shows: P (above thresh mand 100 times with the shield on and 100 times with the shield off. After each attempt, we check whether the command was success ful. ion • When the shield is off, the adversary’s increased transmiss To determine whether the first type of command was successful — power allows it to elicit IMD responses from as far as 27 meter s ver i.e., whether it elicited a reply—we sandwiched a USRP obser (location 13) and from non-line-of-sight locations. along with the IMD between the two slabs of meat. To allow the When the shield is on, the adversary elicits IMD responses on • ly USRP observer to easily check whether the IMD transmitted in resence from nearby, line-of-sight locations. Thus, the shield’s p response to the adversary’s command, we configure the shield to raises the bar even for high-powered adversaries. jam only the adversary’s packets, not the packets transmitt ed by the Whenever the adversary elicits a response from the IMD in the • IMD. To determine whether a therapy modification command was d also presence of the shield, the shield raises an alarm. The shiel successful, we use the IMD programmer to read the therapy par am- adversarial transmis- unsuccessful raises an alarm in response to eters before and after the attempt. sions that are high powered and emanate from nearby location s y Fig. 11 and Fig. 12 show the results of these experiments. The (e.g., location 6). While this conservative alert results i n false h the plot the probability that adversarial commands succeed wit positives, we believe it is reasonable to alert the patient t hat an ver- shield off (absent) and on (present), each as a function of ad adversary is nearby and may succeed at controlling the IMD. sary locations. The locations are ordered by decreasing SNR at the USRP observer. The figures show the following: 11. COEXISTENCE • When the shield is off, adversaries located up to 14 meters We investigate how the presence of a shield affects other leg it- away (location 8) from the IMD—including non-line-of-sigh t r imate users of the medium. As explained in §2, the FCC rules fo locations—can change the IMD’s therapy parameters or cause medical devices in the MICS band require such devices to moni tor a n- the IMD to transmit its private data using precious battery e candidate channel for 10 ms and avoid using occupied channel s. As ergy, in contrast to past work in which the adversarial range is a result, two pairs of honest medical devices are unlikely to share limited to a few centimeters [22]. We attribute this increas ed nce the same 300 KHz channel. We focus our evaluation on coexiste adversarial range to recent changes in IMD design that enabl e with the meteorological devices that are the primary users o f the longer-range radio communication (MICS band) meant to sup- . MICS band (and hence can transmit even on occupied channels) ery. port remote monitoring and a larger sterile field during surg In this experiment, we position the IMD and the shield in the When the shield is on, it successfully prevents the IMD from • locations marked on Fig. 6. We make a USRP board alternate be- s a receiving adversarial commands as long as the adversary use tween sending unauthorized commands to the IMD and transmit - device that obeys FCC rules on transmission power—even when is mod- ting cross-traffic unintended for the IMD. The cross-traffic the adversary is as close as 20 cm. particular eled after the transmissions of meteorological devices, in • om- There is no statistical difference in success rate between c a Vaisala digital radiosonde RS92-AGP [1] that uses GMSK mod u- mands that modify the patient’s treatment and commands that lation. For each of the adversary positions in Fig 6, we make t he trigger the IMD to transmit private data and deplete its batt ery. USRP alternate between one packet to the IMD and one cross- orts traffic packet. The shield logs all packets it detects and rep (b) High-powered active adversary: Next, we experiment with which of them it jammed. nsmit scenarios in which the adversary uses custom hardware to tra Post-processing of the shield’s log showed that the shield d id at 100 times the shield’s transmit power. The experimental s etup is not jam any of the cross-traffic packets, regardless of the tr ansmit- ations similar to those discussed above; specifically, we fix the loc ter’s location. In contrast, the shield jammed all of the pac kets that ’s of the IMD and the shield and vary the high-powered adversary it detected were addressed to the IMD; see Table 2. Further, o ur position among the numbered locations in Fig. 6. Each run has two ± software radio implementation of the shield takes 270 23 μ s af- . Since phases: one with the shield off and another with the shield on ter an adversary stops transmitting to turn around and stop i ts own we found no statistical difference in success rate between u nautho-

11 1 1 1 1 1 1 0.98 1 1 1 0.92 1 0.92 Prob. Shield Raises Alarm 0.89 0.87 Prob. IMD responds, Shield Absent 0.74 Prob. IMD responds, Shield Present 0.72 0.8 0.6 0.4 0.3 Probability 0.1 0.2 0.1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 18 16 15 14 13 12 11 10 17 8 7 6 5 4 3 2 1 9 Location High-powered adversary: Without the shield, an adversary transmitting at 100 times t Figure 13 — he shield’s power can change the IMD’s nly from line-of-sight up to 27 m away. With the shield, the adversary is successful o therapy parameters even from non-line-of-sight locations locations less than 5 m away, and the shield raises an alarm. 0 Cross-Traffic but differs from it in that our jammer can transmit and receiv e at Probability of Jamming Packets that trigger IMD 1 the same time; this allows it to decode IMD messages while pro - tecting their confidentiality. s μ Average 270 Turn-around Time Our work is related to prior work on physical-layer informat ion- s 23 Standard Deviation μ he chan- theoretic security. Past work in this area has shown that if t Jamming behavior and turn-around Coexistence results: — Table 2 nel to the receiver is better than the channel to an eavesdrop per, the ffic. time in the presence of simulated meteorological cross-tra Also, sender-receiver pair can securely communicate [5, 52, 54]. ams our prior work proposes iJam, an OFDM-based technique that j transmissions. This delay is mainly due to the shield’s bein g im- aining while receiving to prevent unauthorized receivers from obt plemented in software. A hardware implementation would hav e a IMDs a protected signal [20]. iJam, however, is not applicable to te, for more efficient turn-around time of tens of microseconds. (No because it relies on the intrinsic characteristics of OFDM s ignals, example, that a 802.11 card can turn around in a SIFS duration of e- which differ greatly from IMDs’ FSK signals. Further, iJam r μ 10 s.) The low turn-around time shows that the shield does not quires changes to both the transmitter and receiver, and hen ce does continuously jam the medium (thereby denying others access to it). not immediately apply to IMDs that are already implanted. Finally, our work also builds on past work on full-duplex ra- 12. RELATED WORK dio [3, 7, 4]. Ours, however, differs from all past works in th at it is the first to demonstrate the value of using full-duplex rad ios for Recent innovations in health-related communication and ne t- nas security. Furthermore, we implement a radio where the anten working technologies range from low-power implantable rad ios evice are placed next to each other so that it can be built as a small d that harvest body energy [27] to medical sensor networks for in- ecures and show both empirically and analytically that our design s home monitoring and diagnosis [51, 55]. Past work has also st udied s than IMDs using only 30 dB cancellation which is significantly les the vulnerabilities of these systems and proposed new desig ns that the 60-80 dB cancellation required by prior work [7, 3]. s foun- could improve their security [21, 22]. Our work builds on thi dation, but it differs from all past works in that it presents the first system that defends existing commercial IMDs against adver saries ds. who eavesdrop on transmissions or send unauthorized comman 13. CONCLUSION Our design is motivated by the work of Halperin et al., who The influx of wireless communication in medical devices brin gs device analyzed the security properties of an implantable cardiac a number of domain-specific problems that require the expert ise of that com- and demonstrated its vulnerability to adversarial actions both the wireless and security communities. This paper addr esses heart promise data confidentiality or induce potentially harmful cal de- the problem of communication security for implantable medi red rhythms [21, 22]. They also suggested adding passively powe om the vices. The key challenge in addressing this problem stems fr elements to implantable devices to allow them to authentica te their difficulty of modifying or replacing implanted devices. We p resent interlocutors. Along similar lines, Denning et al. propose a class of solution the design and implementation of a wireless physical-layer devices called cloakers that would share secret keys with IMDs [6]; that delegates the task of protecting IMD communication to a n ex- nce an IMD would attempt to detect an associated cloaker’s prese ternal device called the shield. Our evaluation shows that t he shield am- either periodically or when presented with an unknown progr d data and effectively provides confidentiality for IMDs’ transmitte mer. Unlike these three proposals, our technique does not re quire shields IMDs from unauthorized commands, both without requ iring at are cryptographic methods and is directly applicable to IMDs th any changes to the IMDs themselves. already implanted. Acknowledgments: We thank Arthur Berger, Ramesh Chandra, Rick Other work has focused on the problem of key distribution for Hampton, Steve Hanna, Dr. Daniel Kramer, Swarun Kumar, Nate Kush- sistent cryptographic security. Cherukuri et al. propose using con man, Kate Lin, Hariharan Rahul, Stefan Savage, Keith Winste in, and Nick- eys at human biometric information to generate identical secret k cknowledge the olai Zeldovich for their insightful comments. The authors a at key different places on a single body [2]. Schechter suggests th financial support of the Interconnect Focus Center, one of th e six research material could be tattooed onto patients using ultraviolet micro- centers funded under the Focus Center Research Program, a Se miconduc- ported by NFS tor Research Corporation program. This research is also sup pigmentation [48]. CNS-0831244, an NSF Graduate Research Fellowship, a Sloan R esearch Our work builds on a rich literature in wireless communica- Fellowship, the Armstrong Fund for Science, and Cooperativ e Agreement wire- tion. Specifically, past work on jamming focuses on enabling No. 90TR0003/01 from the Department of Health and Human Serv ices. Its 29, less communication in the presence of adversarial jamming [ contents are solely the responsibility of the authors and do not necessarily m- 42]. Some past work, however, has proposed to use friendly ja represent the official views of the DHHS or NSF. K. Fu is listed as an inven- ming to prevent adversarial access to RFID tags, sensor node s, and tor on patent applications pertaining to zero-power securi ty and low-power flash memory both with assignee UMass. IMDs [33, 44, 56]. Our work is complementary to this past work

12 14. REFERENCES Proc. IEEE Jamming-resistant wireless broadcast communication. In INFOCOM , 2010. Proc. Symp. [1] J. Åkerberg. State-of-the-art radiosonde telemetry. I n Proc. IEEE In [30] J. Lopatka. Adaptive generating of the jamming signal. ere, Integrated Observing and Assimilation Systems for Atmosph , 1995. Military Communications Conference (MILCOM) Oceans, and Land Surface . American Meterological Society, 2004. Implications [31] W. H. Maisel. Safety issues involving medical devices: a. Biosec: [2] S. Cherukuri, K. K. Venkatasubramanian, and S. K. S. Gupt Journal of recent implantable cardioverter-defibrillator malfunc tions. A biometric based approach for securing communication in wi reless , 2005. of the American Medical Association networks of biosensors implanted in the human body. In vacy of [32] W. H. Maisel and T. Kohno. Improving the security and pri International Conference on Parallel Processing Workshop , 2003. s , New England Journal of Medicine implantable medical devices. [3] J. Choi, M. Jain, K. Srinivasan, P. Levis, and S. Katti. Ac hieving 362(13):1164–1166, 2010. single channel, full duplex wireless communication. In Proc. ACM [33] I. Martinovic, P. Pichota, and J. Schmitt. Jamming for g ood: A fresh , 2010. MobiCom approach to authentic communication in WSNs. In Proc. ACM Conf. [4] J. Choi, M. Jain, K. Srinivasan, P. Levis, and S. Katti. A w orking on Wireless Network Security (WiSec) , 2009. , 2010. single channel, full duplex wireless system. In Mobicom Demo revent [34] Medtronic’s Paradigm Veo wireless insulin pump helps p [5] I. Csiszar and J. Korner. Broadcast channels with confide ntial MedGadget—Internet Journal for emerging medical hypoglycemia. messages. IEEE Trans. Inf. Theory , 24(3):339–348, 1978. , 2009. technologies [6] T. Denning, K. Fu, and T. Kohno. Absence makes the heart gr ow ronic.com/. [35] Medtronic Inc. CareLink Programmer. http://www.medt rity. In fonder: New directions for implantable medical device secu ardioverter [36] Medtronic Inc. Concerto II CRT-D digital implantable c , 2008. Proc. USENIX Workshop on Hot Topics in Security (HotSec) defibrillator with cardiac resynchronization therapy. [7] M. Duarte and A. Sabharwal. Full-duplex wireless commun ications http://www.medtronic.com/. Asilomar using off-the-shelf radios: Feasibility and first results. In er [37] Medtronic Inc. Virtuoso DR/VR implantable cardiovert Conference on Signals, Systems, and Computers , 2010. defibrillator systems. http://medtronic.com/. of the error [8] D. Eckhardt and P. Steenkiste. Measurement and analysis [38] H. Meyr, M. Moeneclaey, and S. A. Fechtel. Digital Communication characteristics of an in-building wireless network. In Proc. ACM Receivers: Synchronization, Channel Estimation, and Sign al SIGCOMM , 1996. . Wiley, 1998. Processing /ettus.com/. [9] Ettus Inc. Universal Software Radio Peripheral. http:/ [39] D. Panescu. Wireless communication systems for implan table [10] European Telecommunications Standard Institute. ETS I EN 301 , 2008. IEEE Eng. in Medicine and Biology Mag. medical devices. 839-1 V1.3.1, 2009. [40] PCTest Engineering Labs, Inc. Certificate of complianc e, fcc part 95 Medical Design Tech. , 2004. [11] C. Falcon. Inside implantable devices. certification, test report number: 95.220719375.lf5, 2002 . ch. [12] Federal Communications Commission. FCC ID number sear e, fcc part 95 [41] PCTest Engineering Labs, Inc. Certificate of complianc http://www.fcc.gov/searchtools.html. and en 301 839-2, test report number: 0703090168.med, 2007. ant [13] Federal Communications Commission. MICS Medical Impl apkun. Jamming-resistant broadcast [42] C. Pöpper, M. Strasser, and S. C /I Communication Services, FCC 47CFR95.601-95.673 Subpart E , 2009. USENIX Security Sym. communication without shared keys. In Rules for MedRadio Services. ingh, H. V. [43] B. Radunovic, D. Gunawardena, P. Key, A. Proutiere, N. S edical [14] K. Fu. Inside risks: Reducing the risks of implantable m , low Balan, and G. Dejean. Rethinking indoor wireless: Low power devices: A prescription to improve security and privacy of p ervasive arch, 2009. frequency, full-duplex. Technical report, Microsoft Rese , 52(6):25–27, 2009. Communications of the ACM health care. [44] M. Rieback, B. Crispo, and A. Tanenbaum. RFID Guardian: A Public Health [15] K. Fu. Trustworthy medical device software. In battery-powered mobile device for RFID privacy management . In ng Effectiveness of the FDA 510(k) Clearance Process: Measuri Proc. Australasian Conf. on Information Security and Priva cy , 2005. . eport Postmarket Performance and Other Select Topics: Workshop R [45] D. Sagan. Rf integrated circuits for medical applicati ons: Meeting the IOM (Institute of Medicine), National Academies Press, 201 1. nductor. challenge of ultra low power communication. Zarlink Semico [16] GNU Radio. http://gnuradio.org/. http://stf.ucsd.edu/presentations. [17] A. Goldsmith. Wireless Communications . Cambridge University duti, S. Sen, [46] N. Santhapuri, R. R. Choudhury, J. Manweiler, S. Nelaku Press, 2005. g and K. Munagala. Message in message mim: A case for reorderin [18] S. Gollakota, F. Adib, D. Katabi, and S. Seshan. Clearin g the RF ACM HotNets-VII , 2008. transmissions in wireless networks. In smog: Making 802.11 robust to cross-technology interferen ce. In azdandoost, [47] K. Sayrafian-Pour, W. Yang, J. Hagedorn, J. Terrill, K. Y ACM SIGCOMM , 2011. and K. Hamaguchi. Channel models for medical implant [19] S. Gollakota, N. Ahmed, N. Zeldovich, and D. Katabi. Sec ure Inter. Journal of Wireless Info. Networks communication. , 2010. in-band wireless pairing. In USENIX Security Sym. , 2011. [48] S. Schechter. Security that is meant to be skin deep: Usi ng ultraviolet [20] S. Gollakota and D. Katabi. Physical layer security mad e fast and antable micropigmentation to store emergency-access keys for impl , 2011. channel-independent. In Proc. IEEE INFOCOM medical devices. In USENIX Workshop HealthSec , 2010. [21] D. Halperin, T. S. Heydt-Benjamin, K. Fu, T. Kohno, and W . H. ical devices: [49] M. Scheffler, E. Hirt, and A. Caduff. Wrist-wearable med Maisel. Security and privacy for implantable medical devic IEEE es. Technologies and applications. Medical Device Technology , 2003. Pervasive Computing , 7(1), 2008. Bell . [50] C. E. Shannon. Communication theory of secrecy systems [22] D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S. Cl ark, , 28(4):656–715, 1949. System Technical Journal B. Defend, W. Morgan, K. Fu, T. Kohno, and W. H. Maisel. , and [51] V. Shnayder, B. Chen, K. Lorincz, T. R. F. Fulford-Jones Pacemakers and implantable cardiac defibrillators: Softwa re radio M. Welsh. Sensor networks for medical care. Technical Repor t attacks and zero-power defenses. In Proc. IEEE Symposium on TR-08-05, Harvard University, 2005. Security and Privacy , 2008. [52] M. J. Siavoshani, U. Pulleti, E. Atsan, I. Safaka, C. Fra goulia, [23] Industry Canada. Radio Standards Specification RSS-24 3: Medical K. Argyraki, and S. Diggavi. Exchanging secrets without usi ng Devices Operating in the 401–406 MHz Frequency Band. Spectr um cryptography. , 2011. arXiv:1105.4991v1 Management and Telecommunications, 2010. [53] D. Tse and P. Vishwanath. Fundamentals of Wireless [24] International Telecommunications Union. ITU-R Recom mendation . Cambridge University Press, 2005. Communications RS.1346: Sharing between the meteorological aids service a nd [54] A. Wyner. The wire-tap channel. , 1975. Bell Sys. Technical Journal medical implant communication systems (MICS) operating in the [55] S. Xiao, A. Dhamdhere, V. Sivaraman, and A. Burdett. Tra nsmission mobile service in the frequency band 401–406 MHz, 1998. power control in body area sensor networks for healthcare [25] Jackson Labs. Fury GPSDO. http://www.jackson-labs.c om/. IEEE Journal on Selected Areas in Comm. monitoring. , 2009. [26] W. C. Jakes. Microwave Mobile Communications . Wiley, 1974. ring [56] F. Xu, Z. Qin, C. C. Tan, B. Wang, and Q. Li. IMDGuard: Secu [27] M. Koplow, A. Chen, D. Steingart, P. Wright, and J. Evans . Thick rdian. In implantable medical devices with the external wearable gua al film thermoelectric energy harvesting systems for biomedic , 2011. Proc. IEEE INFOCOM applications. In , 2008. Proc. Symp. Medical Devices and Biosensors [57] Zephyr Inc. BioHarness BT. http://www.zephyr-techno logy.com. g, usability [28] C. Kuo, J. Walker, and A. Perrig. Low-cost manufacturin ac device [58] C. Zhan, W. B. Baine, A. Sedrakyan, and S. Claudia. Cardi -fi and security: An analysis of bluetooth simple pairing and wi implantation in the US from 1997 through 2004: A population- based Usable Security Workshop , 2007. protected setup. In , 2007. Journal of General Internal Medicine analysis. [29] Y. Liu, P. Ning, H. Dai, and A. Liu. Randomized different ial DSSS:

Related documents

Numerical Recipes

Numerical Recipes

Sample page from NUMERICAL RECIPES IN C: THE ART OF SCIENTIFIC COMPUTING (ISBN 0-521-43108-5) Permission is granted for internet users to make one paper copy for their own personal use. Further reprod...

More info »
vol9 organic ligands

vol9 organic ligands

C HERMODYNAMICS HEMICAL T OMPOUNDS AND C OMPLEXES OF OF C U, Np, Pu, Am, Tc, Se, Ni and Zr O ELECTED WITH RGANIC L IGANDS S Wolfgang Hummel (Chairman) Laboratory for Waste Management Paul Scherrer Ins...

More info »
chemical table

chemical table

UPS Chemical Table - 49 CFR Version (Ground and Air Packages) GROUND AND AIR GROUND SHIPMENTS SHIPMENTS AIR SHIPMENTS BASIC DESCRIPTION FOR GROUND AND AIR Symbols: "‡" Requires a Technical Name / "*" ...

More info »
2017 NAICS Manual

2017 NAICS Manual

ORTH N A MERICAN I NDUSTRY LASSIFICATION C YSTEM S United States, 2017 EXECUTIVE OFFICE OF THE PRESIDENT AND BUDGET OFFICE OF MANAGEMENT

More info »
Little science, big science   and beyond

Little science, big science and beyond

LITTLE SCIENCE, BIG SCIENCE .AND . . BEYOND Derek J. de Price Sol la

More info »
ERG2016

ERG2016

2016 A guidebook intended for use by first responders A guidebook intended for use by first responders transportation incident during the initial phase of a during the initial phase of a transportatio...

More info »
How to Write a Good Scientific Paper

How to Write a Good Scientific Paper

How to Write a Good Scientific Paper Chris A. Mack

More info »
Technical Line: Lessee model comes together as leases project progresses

Technical Line: Lessee model comes together as leases project progresses

Applying IFRS IFRS 15 Revenue from Contracts with Customers A closer look at IFRS 15, the revenue recognition standard (Updated October 2018)

More info »
Managing the Risks of Extreme Events and Disasters to Advance Climate Change Adaptation

Managing the Risks of Extreme Events and Disasters to Advance Climate Change Adaptation

MANAGING THE RISKS OF EXTREME EVENTS AND DISASTERS TO ADVANCE CLIMATE CHANGE ADAPTATION SPECIAL REPORT OF THE INTERGOVERNMENTAL PANEL ON CLIMATE CHANGE

More info »
PB

PB

OFFICIAL 2019 CONNECTICUT PRACTICE BOOK (Revision of 1998) CONTAINING RULES OF PROFESSIONAL CONDUCT CODE OF JUDICIAL CONDUCT RULES FOR THE SUPERIOR COURT RULES OF APPELLATE PROCEDURE APPENDIX OF FORMS...

More info »
435 441 458 467r e

435 441 458 467r e

WT/DS435/R, WT/DS441/R WT/DS458/R, WT/DS467/R 28 June 2018 Page: (18 - 1/884 4061 ) Original: English AUSTRALIA CERTAIN MEASURES CON CERNING TRADEMARKS, – PACKAGING IONS AND OTHER PLAIN GEOGRAPHICAL I...

More info »
Why Forests? Why Now? The Science, Economics and Politics of Tropical Forests and Climate Change

Why Forests? Why Now? The Science, Economics and Politics of Tropical Forests and Climate Change

WHY FORESTS? WHY NOW? The Science, Economics and Politics of Tropical Forests and Climate Change Frances Seymour Jonah Busch

More info »
PowerPoint Presentation

PowerPoint Presentation

, ! h d c r te i a n c i e s t i d e r t e e h d g s i o l d o b n g u a p o t d D i t o D t e g w [email protected] Riverside, CA 92521 o IGK S Eamonn Keogh H University of California - Riverside Com...

More info »
Ludovico, Alessandro   Post Digital Print. The Mutation of Publishing Since 1894

Ludovico, Alessandro Post Digital Print. The Mutation of Publishing Since 1894

Post- Digital Print The Mutation of Publishing since 1894 Alessandro Ludovico OnOmat Opee 77

More info »
2018 Report Book 10 29.indb

2018 Report Book 10 29.indb

THE EXPANDING NEWS DESERT PENELOPE MUSE ABERNATHY Knight Chair in Journalism and Digital Media Economics The Expanding News Desert | 1

More info »
What Works in Girls' Education: Evidence for the World's Best Investment

What Works in Girls' Education: Evidence for the World's Best Investment

Foreword by Malala Yousafzai With a foreword by Winthrop s Malala Yousafzai p E Student, Nobel Peace Prize Laureate, and Cofounder of the Malala Fund rlin in What Works G Hard-headed evidence demonstr...

More info »
CBEC Electoral Board Decisions

CBEC Electoral Board Decisions

BOARD OF ELECTION COMMISSIONERS THE CITY OF CHICAGO FOR INDEX OF ELECTORAL BOARD DECISIONS April 201 4

More info »
Computer Vision: Algorithms and Applications

Computer Vision: Algorithms and Applications

Computer Vision: Algorithms and Applications Richard Szeliski September 3, 2010 draft c © 2010 Springer This electronic draft is for non-commercial personal use only, and may not be posted or re-distr...

More info »
pguo PhD grind

pguo PhD grind

T P H .D. G RIND HE A Ph.D. Student Memoir Philip J. Guo [email protected] Third Anniversary Reprint with margin notes from the perspective of a first-year assistant professor This book is free, but...

More info »